Practical Techniques for Verification and Validation of Robots - - PowerPoint PPT Presentation

Practical Techniques for Verification and Validation of Robots

Kerstin Eder with a demo by Dejanira Araiza Illan

University of Bristol and Bristol Robotics Laboratory

Would you swallow a robot?

The Safety Challenge

§ Autonomous Systems § Engineering Challenge

– Advances in control science – Focus on “making things work”

3

4 Pictures from www.wikipedia.org

The Safety Challenge

§ Autonomous Systems § Engineering Challenge

– Advances in control science – Focus on “making things work”

§ Fundamental concern:

– Can such systems be trusted?

5

6

Dependability

§ A system is dependable (or trustworthy) only if it can be shown to be safe and useful.

– Safety is the property of avoiding harmful conditions. – Liveness requires that the system achieves its goals a.k.a. usefulness.

§ Demonstrable safety and liveness are required.

7

Safety Assurance

Assurance is the essential concept:

8

§ A system may never cause harm throughout its entire operating life, § but if we cannot be assured of that before we start to use it, then the system can not be trusted.

Designing Dependable Systems

§ Create flawless designs. AND § Design the system in such a way that the flawlessness can be demonstrated.

"Waterfall" by M.C Escher.

EPSRC “Principles of Robotics”

“Robots are products. They should be designed using processes which assure their safety and security.”

10 http://www.epsrc.ac.uk/ourportfolio/themes/engineering/activities/Pages/principlesofrobotics.aspx

To develop techniques and methodologies that can be used to design autonomous intelligent systems that are demonstrably trustworthy.

Verification and Validation for Safety in Robots

11

Correctness from specification to implementation

User Requirements

High-level Specification

Optimizer

Design and Analysis (Simulink)

Controller (SW/HW)

e.g. C, C++, RTL (VHDL/Verilog)

Translate Implement

12

What can be done at the code level?

• P. Trojanek and K. Eder.

Verification and testing of mobile robot navigation algorithms: A case study in SPARK. IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS).

• pp. 1489-1494. Sep 2014.

http://dx.doi.org/10.1109/IROS.2014.6942753

13

What can go wrong in robot navigation software?

Generic bugs:

§ Array and vector out-of-bounds accesses § Null pointer dereferencing § Accesses to uninitialized data

Domain-specific bugs:

§ Integer and floating-point arithmetic errors § Mathematic functions domain errors § Dynamic memory allocation errors § Concurrency bugs

§ blocking inter-thread communication (non real-time)

14

State of the art verification approaches

§ Model checking

§ infeasible for real (off-the-shelf) code

§ Static analysis of C++

§ not possible

§ Static analysis of C

§ requires verbose and difficult to maintain annotations

15

HW Design Reconvergence Model

16

Fabrication Specification Netlist Silicon Chip HW Design

HW Design Reconvergence Model

18

Fabrication Specification Netlist Silicon Chip HW Design Verification Test

§ Design Verification is the process used to gain confidence in the correctness of a design w.r.t. the requirements and specification. § Test: Manufacturing Test vs Functional Test

Tape out

19

Design-for-Test(ability)

http://anysilicon.com/overview-and-dynamics-of-scan-testing/

Design-for-Verification Approach

§ SPARK, a verifiable subset of Ada

§ software reliability a primary goal § no memory allocation, pointers, concurrency § side-effect free functions § SPARK specification and tools freely available for academic use

§ Required code modifications:

§ Pre- and post-conditions, loop (in)variants § Numeric subtypes (e.g. positive) § Formal data containers

20

Navigation in SPARK

§ Three open-source implementations of navigation algorithms translated from C/C++ (2.7 kSLOC) to SPARK (3.5 kSLOC)

• Vector Field Histogram
• Nearness Diagram
• Smooth Nearness-Diagram

21

§ Explicit annotations are less than 5% of the code § SPARK code is on average 30% longer than C/C++

Verification Conditions

22

Formal Verification Results

23

Number of discharged verification conditions and the running time of static analysis

Results

§ Several bugs discovered by run-time checks injected by the Ada compiler

• Fixed code proved to be run-time safe
• except floating-point over- and underflows
• These require the use of complementary techniques, e.g.

abstract interpretation.

§ Up to 97% of the verification conditions discharged automatically by SMT solvers in less than 10 minutes § Performance of the SPARK and C/C++ code similar

24

Moral: If you want to make runtime errors an issue

• f the past, then select your tools (programming

language and dev env) wisely!

Moral

25

If you want to make runtime errors an issue of the past, then you must select your tools (programming language and dev env) wisely!

http://github.com/riveras/spark-navigation

• P. Trojanek and K. Eder.

Verification and testing of mobile robot navigation algorithms: A case study in SPARK. IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS).

• pp. 1489-1494. Sep 2014.

http://dx.doi.org/10.1109/IROS.2014.6942753

26

Correctness from Specification to Implementation

User Requirements

High-level Specification

Optimizer

Design and Analysis (Simulink)

Controller (SW/HW)

e.g. C, C++, RTL (VHDL/Verilog)

Translate Implement Verification

27

What can be done at the design level?

• D. Araiza Illan, K. Eder, A. Richards.

Formal Verification of Control Systems’ Properties with Theorem Proving. International Conference on Control (CONTROL), pp. 244 – 249. IEEE, Jul 2014. http://dx.doi.org/10.1109/CONTROL.2014.6915147

• D. Araiza Illan, K. Eder, A. Richards.

Verification of Control Systems Implemented in Simulink with Assertion Checks and Theorem Proving: A Case Study. European Control Conference (ECC), pp. tbc. Jul 2015. http://arxiv.org/abs/1505.05699

28

What is an assertion?

§ An assertion is a statement that a particular property is required to be true.

– A property is a Boolean-valued expression

§ Assertions can be checked either during simulation or using a formal property checker. § Assertions have been used in SW design for a long time.

– assert() function is part of C #include <assert.h> – Used to detect NULL pointers, out-of-range data, ensure loop invariants, etc.

§ Revolution through Foster & Bening’s OVL for Verilog.

– Clever way of encoding re-usable assertion library in Verilog. J – > 30 checker types (assertion templates) – http://accellera.org/activities/working-groups/ovl

30

31

TYPE NAME PARAMETERS PORTS DESCRIPTION

PARAMETERS USING OVL DESIGN ASSERTIONS INPUT ASSUMPTIONS severity_level +define+OVL_ASSERT_ON Monitors internal signals & Outputs Restricts environment `OVL_FATAL +define+OVL_MAX_REPORT_ERROR=1 `OVL_ERROR +define+OVL_INIT_MSG Examples Examples `OVL_WARNING +define+OVL_INIT_COUNT=<tbench>.ovl_init_count * One hot FSM * One hot inputs `OVL_INFO * Hit default case items * Range limits e.g. cache sizes property_type

+libext+.v+.vlib

* FIFO / Stack * Stability e.g. cache sizes `OVL_ASSERT

• y <OVL_DIR>/std_ovl

* Counters (overflow/increment) * No back-to-back reqs `OVL_ASSUME

+incdir+<OVL_DIR>/std_ovl

* FSM transitions * Handshaking sequences `OVL_IGNORE * X checkers (assert_never_unknown) * Bus protocol msg descriptive string

OVL QUICK REFERENCE (www.eda.org/ovl) Last updated: 28th April 2006

32

Who writes the assertions?

DUV

System Architects Designers / Developers Verification Engineers IP Providers Standards

Implementation Assertions

§ Also called “design” assertions. § Specified by the designer/developer.

– Encode designer’s assumptions.

• Interface assertions

– Catch different interpretations between different designers.

– Formulate conditions of design misuse or design

faults:

• detect buffer over/under flow
• signal read & write at the same time when only one

is allowed § Implementation assertions can detect discrepancies between design assumptions and implementation.

Specification Assertions

§ Also called “intent” assertions

– Often high-level properties.

§ Specified by architects, verification engineers, IP providers, standards.

– Encode expectations of the design based on

understanding of functional intent.

– Provide a “functional error detection” mechanism. – Supplement error detection performed by self-checking

testbenches.

• Instead of using (implementing) a monitor and

checker, in some cases writing a block-level assertion can be much simpler.

§ Assertions are able to detect a significant percentage

• f design failures:

Assertions should be an integral part of a verification methodology.

Do assertions really work?

[Foster etal.: Assertion-Based Design. 2nd Edition, Kluwer, 2010.]

Simulink Diagrams in Control Systems

§ Simulating the control systems § Analysis techniques from control systems theory (e.g., stability) § Serve as requirements/specification § For (automatic) code generation

Code

Control systems design level Implementation level

37

Stability

High-level (abstract) control requirement

Verifying Stability

38

Stability Sub-requirements (parametrized) Matrix P > 0 (Lyapunov function) Matrix P−(A−BK)T P(A−BK) > 0 (Lyapunov function's difference) Equivalence

V(k)-V(k-1) = x(k-1)T [(A−BK)T P(A−BK)-P]x(k-1)

(Lyapunov's equation application) From control systems theory → Lyapunov's second method for stability: Propose Lyapunov function that is

• Positive definite
• Monotonically decreasing

Verifying Stability

39

Stability Matrix P > 0 (Lyapunov function) Equivalence

V(k)-V(k-1) = x(k-1)T [(A−BK)T P(A−BK)-P]x(k-1)

(Lyapunov's equation application) Add as assertions Capture control systems requirements Retain in code implementation Matrix P−(A−BK)T P(A−BK) > 0 (Lyapunov function's difference)

Verifying Stability

Assertion-Based Verification

41

Stability Matrix P > 0 (Lyapunov function) Equivalence

V(k)-V(k-1) = x(k-1)T [(A−BK)T P(A−BK)-P]x(k-1)

(Lyapunov's equation application) Matrix P−(A−BK)T P(A−BK) > 0 (Lyapunov function's difference)

Test in simulation

Combining Verification Techniques

42

Automatic theorem proving

First order logic theory of the Simulink diagram

Axiom: Bu = B * u ... … Goal: vdiff == vdiff_an

Estimators and controllers Stability Functional equivalence Feasibility (constraint satisfaction) Systems in series

Case studies

Hybrid systems

Moral

44

No single technique is adequate to cover a whole design in practice. Combine techniques and learn from areas where verification is more mature.

http://github.com/riveras/simulink

• D. Araiza Illan, K. Eder, A. Richards.

Formal Verification of Control Systems’ Properties with Theorem Proving. International Conference on Control (CONTROL), pp. 244 – 249. IEEE, Jul 2014. http://dx.doi.org/10.1109/CONTROL.2014.6915147

• D. Araiza Illan, K. Eder, A. Richards.

Verification of Control Systems Implemented in Simulink with Assertion Checks and Theorem Proving: A Case Study. European Control Conference (ECC), pp. tbc. Jul 2015. http://arxiv.org/abs/1505.05699

45

DEMO 1:

How to verify control systems implemented in Simulink with assertion checks and theorem proving. A simple case study.

46

Any questions? Kerstin.Eder@bristol.ac.uk Dejanira.AraizaIllan@bristol.ac.uk

Thank you

Special thanks to Dejanira Araiza Illan, David Western, Arthur Richards, Jonathan Lawry, Trevor Martin, Piotr Trojanek, Yoav Hollander, Yaron Kashai, Mike Bartley, Tony Pipe and Chris Melhuish for their hard work, collaboration, inspiration and the many productive discussions we have had.